Compliance: Data security and data privacy

August 2023

NetApp has a long-held and ongoing commitment to compliance with the ever-evolving set of global, regional, and data security and privacy standards and regulations. We uphold this commitment through self-assessments and rigorous audits by independent accredited third parties. These audits validate the adherence of our products and services to the requirements of such standards as ISO/IEC 27001, the GDPR, and the Common Criteria. These assessments help demonstrate NetApp’s integration of internationally recognized processes and best practices in our business, enabling customers to use our products and services regardless of their compliance needs.

NetApp supplies information for each compliance offering (listed at left) that includes a list of in-scope software and hardware and links to the relevant certificates and auditor’s reports.

Get a complete list of all NetApp services, hardware, and software that comply with global, regional, and industry-specific data security, engineering, and privacy regulations and standards governing the collection and use of data. 

NetApp is committed to respecting consumers’ privacy rights and operating in compliance with global data privacy laws, including the California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA). Our contractual commitments to legal compliance, include our Privacy Policy and customer contracts. These are based on whether we are collecting customers’ personal data or acting as a service provider to customers who are collecting personal data. We back these contractual commitments with processes and policies designed to comply with the CCPA and CPRA.

NetApp ONTAP data management software is the first enterprise-class storage solution validated by the Commercial Solutions for Classified (CSfC) Program. It enables enhanced security protection for data at rest at both the hardware and software layers. The CSfC Program is a key component of the U.S. National Security Agency (NSA) commercial cybersecurity strategy. It validates commercial products that meet the rigorous security requirements for protecting classified secret and top-secret data.

Continuing a certification tradition dating back to 2005, when NetApp Data ONTAP was first certified, NetApp has achieved Common Criteria (ISO/IEC 15408-1:2009) certification for its storage software and hardware products. Independent accredited testing laboratories audited NetApp products and certified their compliance with Common Criteria. NetApp government and government contractor customers can rely on our Common Criteria certification for their purchasing requirements.

NetApp ONTAP was first certified in 2005 by the U.S. Defense Information Systems Agency (DISA). DISA placed in-scope NetApp products on the U.S. Department of Defense Information Network Approved Products List (DoDIN APL). Certification of NetApp products to the DoDIN APL enables U.S. defense agencies and organizations supporting the defense industrial base to use them with confidence.

Amazon FSx for NetApp ONTAP is authorized for U.S. Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) Impact Levels 2, 4, and 5 in the Amazon Web Services (AWS) GovCloud (US) Regions and Impact Level 2 in AWS US Regions.

Both Amazon FSx for NetApp ONTAP (through Amazon Web Services) and Azure NetApp Files^® (through Microsoft Azure and Microsoft Azure Government) have obtained a P-ATO from the Joint Authorization Board (JAB), the primary governance body for FedRAMP.  

Amazon FSx for NetApp ONTAP has FedRAMP authorization at the High and Moderate Impact Levels for AWS US Regions and the High Impact Level for AWS GovCloud (US) Regions. Azure NetApp Files® has FedRAMP authorization at both High and Medium Impact Levels for Azure commercial cloud services and a High Impact Level for Azure Government cloud services. 

FIPS 140 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware, and NetApp offers cryptographic modules that have achieved FIPS 140 validation. NetApp offers a variety of hardware, software, and services and therefore takes a variety of approaches to FIPS 140 compliance. For example, for covered software, NetApp includes cryptographic modules that have achieved level 1 validation for the encryption of data in transit and at rest.

NetApp maintains a comprehensive strategy for compliance with data privacy laws, including the EU General Data Protection Regulation (GDPR). We back our commitments through organizational and engineering measures designed to respect the rights of data subjects and securely process personal information in compliance with the GDPR and our European regulators. Whether your enterprise is a data controller or data processor, NetApp products and services offer the tools necessary to implement programs that support your compliance with the GDPR. We back these commitments with a number of customer contracts.

Customers managing data regulated under the Health Insurance Portability and Accountability Act (HIPAA) can take advantage of a variety of NetApp products and services for storage management.

To support the HIPAA compliance of NetApp services , Net App relies on our SOC 2 Type 2 certifications by an independent third party. SOC 2 reports offer assurance to customers that NetApp controls reasonably protect the confidentiality and privacy of user information processed by NetApp systems. NetApp solutions with SOC 2 Type 2 reports may also be available to covered entities or business associates for their management of protected health information. 

Annually, NetApp engages an accredited certification body, which has certified that the NetApp Information Security Management System demonstrates conformance to the ISO 27001 standard. Our auditor has verified that NetApp policies, procedures, and controls maintain the privacy, security, integrity, and availability of information.

After an extensive audit, the accredited certifying body INFOCERT has renewed the certification of NetApp^® StorageGRID^® to the French accounting standard NF Logiciel (NF203). This renewal includes certification to the international standard for how products are developed, tested, and validated, ISO/IEC 25051.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all companies that process, store, or transmit credit card information through the five major payment card brands. Instaclustr™ by NetApp^® has been certified as compliant with the PCI DSS at Level 1—the highest level of transactions. 

NetApp products and services are audited regularly against the SOC 2 (AT Section 101) standard by an independent certified public accountant firm and services auditor. They examined NetApp in-scope cloud and managed services, and affirmed that they have achieved SOC 2 reports based on the applicable Trust Services Criteria.